The Concept of Information Assurance - Research Paper Example

?Information Assurance: Of Definitions and Particulars Introduction Information is becoming public through the invention and innovation of the Internet. Accessing the data from the Net is becoming easy. But the Net is also a site of private activities and transactions. At certain extent, eavesdroppers are able to access and avail the information in the Web that is supposed to be private or confidential. Laws concerning hacking and other “illegal” access of sensitive information are limited and lacking at the international scale. Thus, information assurance was given birth as a response to the threat of hacking and stealing vital information, especially data from particular high-profile government or institution. The definitions and practices pertaining to information assurance, on the other hand, are multifaceted and multifarious. Like the complicated Web and its laws, if there are any, the information assurance is an intricate field of human knowledge. This paper discusses the numerous and various definitions of the concept called information assurance (hereinafter IA). It also examines the security services prominent in the information assurance. Of Definitions There are numerous definitions or categorization to the concept of “information assurance.” Most of these definitions are defined or categorized by various U.S. government institutions such as the U.S. Air Force, the National Defense University, the Pentagon, among other institutions. The U.S. Air Force, for one, categorizes the term information assurance as a representation of “measures to protect friendly information systems by preserving the availability, integrity, and confidentiality of the systems and the information contained within the systems” (as cited in Curts & Campbell, 2002, pp. 1-2). What is peculiar in this definition of IA is the description of the information systems as something friendly. Perhaps the word “friendly” is a common terminology used by the men and women of the U.S. Air Force -- example is the famous phrase friendly fire. In general, IA is defined by the said institution as ways of protecting relevant data or vital information via the preservation of the CIA of the systems; CIA is an acronym for confidentiality, integrity, and availability. (The emphasis of Curts and Campbell’s IA is on the protection through preservation.) On the one hand, the Pentagon’s Office of the Secretary of Defense categorizes IA in this fashion: “Informational assurance is the component of information operations that assures the Department of Defense’s operational readiness by providing for the continuous availability and reliability of information systems and networks” (as cited in Curts & Campbell, 2002, p. 2). Here, the definition of the phrase “information assurance” centers on, as the phrase implies, the assurance of readiness via the provision of availability and reliability of information systems or networks. In contrast to the U.S. Air Force’s, the Pentagon views IA as an assurance -- not as a protection of authenticity -- for availability and reliability of the systems and/or networks. Further, Pentagon’s concept of information assurance is contextualized -- that is, the praxis of IA largely belongs to certain operational activities or transactions by its Department of Defense. The National Defense University (NDU), on the other hand, describes IA as “information operations (IO) that protect and defend information systems by ensuring their integrity, authentication, confidentiality, and non-repudiation” (as cited in Curts & Campbell, 2002, p. 2). Like the Pentagon’s IA, NDU’s information assurance is synonymous or attributed to the information operations. This similarity is grounded on the fact that both institutions, by nature of their office or function, are military in orientation. But unlike the Pentagon’s, IA as outlined by the National Defense University is perceived in terms of protecting and defending the systems or networks through ensuring or ascertaining not only their CIA but also their non-repudiation. As opposed to the U.S. Air Force’s and Pentagon’s definitions of IA, the NDU’s categorization of information assurance is expanded, expansive, and probably detailed -- except for the absence of availability factor. Loeb provides a model for the “definition” of the phrase information assurance; of availability, integrity, authentication, confidentiality, and non-repudiation, he generally calls them security services inherent in IA. Loeb considers IA as a technique in which large organizations utilize in order to “deal with the large volumes of information” (as cited in Curts & Campbell, 2002, p. 2). Of the large organizations, he exemplifies the military institution (e.g., Air Force) as the primary organization or agency that uses, and benefits from, the information assurance. As a whole, the principle or theory of information assurance rests heavily on the five security services, namely, availability, integrity, authentication, confidentiality, and non-repudiation. Of Particulars Availability Of the term “availability,” Qian, Tipper, and Krishnamurthy (2008) categorize such term as used in the IA domain in this fashion: “[It] refers to ensuring that information or computer resources are available to authorized users in a timely manner” (p. 3). That is, availability is a security service in which it secures or ensures that the information systems are, as the word suggests, available to the intended receiver at the time that he or she wants or needs them. In defining availability, perhaps the key words here are “authorized users” and “timely manner.” In this level, IA prohibits the unauthorized users to hack the data or information from viewing, reading, and even corrupting them. Further, availability characterized in information assurance ascertains that the intended receiver has the capacity or ability to open or utilize the information systems at the “timely manner.” On the other hand, Curts and Campbell (2002) view the notion of availability as a state in which the data or information system is (1) in the place wherein it is needed by the authorized person; (2) at the time when the intended receiver needs it; and (3) in the form which the user needs or expects it to be. As opposed to the categorization outlined by Qian et al., Curts and Campbell specifically label the concept of availability not only as a time factor but also as a place and form elements. In the realm of information assurance, availability implies the assurance that the information or networks are at their proper places and forms when the end-user wants or needs them at a particular time-period. Curts and Campbell (2002) add up that availability is fundamentally the “prevention of the unauthorized withholding of information or resources” (p. 3). This can be done through several techniques such as the knowledge of a secret password, PIN number, among other encrypted devices. Integrity Of the signifier “integrity,” Blyth and Kovacich (2006) define such signifier as a standard in which it assures or guarantees the “state of being complete or undivided” that which is related to information system (p. 96). In the field of information assurance, integrity is that facet that protects and defends the completeness of the system or network being sent and received. What is fascinating in the definition of IA by Blyth and Kovacich (2006) is that it sees integrity as a standard or set of rules. That is, the term “integrity” is an aspect or element that ought to be followed. The implication here is that such term or definition departs from the action mode (e.g., assure, insure, etc.) into passive form (i.e., standard as a noun). On the other hand of the scale, Curts and Campbell (2002) consider the idea of integrity as the “assurance that the information that arrives at a destination is the same as the information that was sent, and that if any changes occurred, they are detected and reported” (p. 3). Here, integrity is defined in a clear manner; it ascertains that the data or system in question has the consistency or wholeness in connection with the time it was made and sent by the sender to the time it was received and read by the end-user. Integrity in the realm of information assurance means the avoidance or aversion of the data or information to be corrupted or altered with respect to time, place, and form. Integrity can also occur even when there are changes or alterations made as long as such changes or alterations are detected and reported at a real time. The absence of detecting and reporting certain modifications or alterations within the system or network would imply the disintegration of integrity marked in IA. Authentication Of the term “authentication,” Rao, Gupta, and Upadhyaya (2007) describe it as “any process, either online or off line, by which one party determines whether the other party is who the other party claims to be” (p. 154). Rao et al. (2007) view the notion of authentication as a way or process of knowing or affirming that the two or more parties involved in the activities or transactions related to information assurance are the parties who are intended for such activities. This process, according to Rao et al., has three main categories. They are as follow: something a person (1) knows, (2) has, and (3) is (Rao et al., 2007, pp. 154-155). In essence, the said categories are aspects that pertain to the person’s or party’s knowledge, possession, and inherent nature. In the category of knowledge, an example of this something that the party knows is the secret password. In opening the e-mail address or probably a website owned or operated by the company or parties involved, any intended user or party has the knowledge pertaining to its password. In the category of possession, on the one hand, an example of this something that the party has is the ATM card. One cannot withdraw money from the ATM machine without a card. (As to the PIN number of the ATM card, it largely belongs to the category of knowledge.) On the other hand, an example from the category of inherent nature is the person’s or party’s fingerprint. By and large, these categories or factors are ways of determining that the other person or party is the one who claims and intends him or her to be. In the process, this authenticates the claim of the user under discussion. On the other hand of the scale, Curts and Campbell (2002) provide two major categories or factors: (1) an authentication of user ID and its password; and (2) an authentication known as the digital certificate (p. 3). The primary distinction of categories characterized in authentication between Rao et al. and Curts and Campbell is probably the medium used in practicing or executing information assurance. That is, Curts and Campbell’s categories are directed to the Web-based medium while the categories of Rao et al. are directed both to the Web and the non-Web. Confidentiality Of the word “confidentiality,” Birchall, Ezingeard, McFadzean, Howlin, and Yoxall (2004) define this particular security service as an assurance that the “information is accessible on a need-to-know basis and that unauthorized access is prevented” (p. 5). It seems that the description of confidentiality by Birchall et al. is essentially similar to the definition of availability by Qian et al. Like the idea of availability by Qian et al., Birchall et al. (2010) explain the usage or security service of confidentiality in terms of its need-to-know basis; only the intended receiver or user has the capacity and “right” to access, and avail for, the information or system. Curts and Campbell, however, went further in defining the notion of confidentiality. In contrast to Birchall et al., Curts and Campbell (2002) view confidentiality as the process or method of restricting, or inability of, someone -- or “anyone who [are unintended users or, simply, hackers that] might be able to intercept the data” -- to correctly interpret the meaning of such data or information (p. 4). Here, Curts and Campbell consider the possibility of stealing the information or system. Perhaps the hackers can avail for the system or network; they are able to open and read the data or information in a timely manner. Nevertheless, the security service provided by confidentiality marked in the information assurance hinders the hackers to “interpret its meaning.” Curts and Campbell (2002) have suggested that encryption techniques are applied in the system so that “eavesdroppers will not be able to understand the information” (pp. 4-5). Encryption techniques are methods in which only the intended receiver can not only access or avail the information or data but also understand or interpret such sent information or data. The intended receiver has the knowledge of the appropriate key whose function is to “decrypt the data.” Encrypting the information, Curts and Campbell (2002) say, can be performed in several levels; an instance of which is called the application encryption (p. 5). Non-Repudiation Of the signifier “non-repudiation,” Hill (2010) states that such signifier in the context of information assurance is the notion that the intended user in a particular information transaction cannot be repudiated, refuted, or denied by the other party (i.e., sender) from the fact that he or she (i.e., the intended receiver) has received a transaction or has been sent with such transaction (p. 116). That is, the security service offered by the principle of non-repudiation provides legitimacy to the intended receiver that the transaction or activity is real and actual. The concept of non-repudiation, in effect, helps the end user by affirming, protecting, and defending his or her “right” to information assurance. On the other hand, Hill gives another two definitions of the concept of non-repudiation from the digital security perspective. He states that non-repudiation can also mean: (1) the proof of the origin of the information; and (2) the assurance that the information is genuine (Hill, 2010, p. 116). First, the categorization of non-repudiation as a proof is almost the same to the definition of integrity outlined by Curts and Campbell. Like Curts and Campbell’s integrity, Hill’s non-repudiation traces or calls forth the integrity of a specific data; what has been sent to the intended receiver should be similar or integral to the original data from and by the sender. But unlike Curts and Campbell’s integrity, Hill’s non-repudiation is rather of a proof or evidence that the sender of the data is traceable and determinable. And second, the definition of Hill’s (2010) non-repudiation as the genuineness or correctness of the data greatly speaks of the assurance or guarantee that such data is genuine or correct. With respect to Curts and Campbell’s (2002) idea of non-repudiation, their definition of such idea is likely similar to that of Hill. That is to say, the concept of non-repudiation refers to the senders who “cannot deny at a later date that they actually sent a particular set of data” (Curts & Campbell, 2002, p. 5). Like Hill’s non-repudiation outside the digital security perspective, Curts and Campbell’s non-repudiation is the absence or refutation of denying that the intended user has actually received the data sent by a particular sender. Conclusion Information assurance as a practice is widely used by large organizations such as the military sector. Thence, the definitions or categorizations of information ssurance are largely defined or categorized by such organizations. There are many and varied definitions of the signifier information assurance due primarily to the different objectives and natures characterized in various organizations or institutions. In spite of their variations of categorizing IA, nevertheless, these large organizations (e.g., National Defense University) have certain similarities in terms of their types of security services. In general, there are five security services that fall under the information assurance: availability, integrity, authentication, confidentiality, and non-repudiation. These security services function differently; they have specific objective or meaning in the course of the transaction or project. As a whole, information assurance through its five security services protects and defends the information, data, and/or systems against eavesdroppers, hackers, and other unintended users. References Birchall, D., Ezingeard, J. N., McFadzean, E., Howlin, N., & Yoxall, D. (2004). Information assurance: Strategic alignment and competitive advantage. London: Grist. Blyth, A., & Kovacich, G. L. (2006). Information assurance: Security in the information environment. London: Springer-Verlag. Curts, R. J., & Campbell, D. E. (2002). Building a global information assurance program. Boca Raton, FL: Auerbach. Hill, D. G. (2010). Data protection: Governance, risk management, and compliance. Boca Raton, FL: CRC. Qian, Y., Joshi, J., Tipper, D., Krishnamurthy, P. (2008). Information assurance: Dependability and security in networked systems. Burlington, MA: Morgan Kaufmann. Rao, H. R., Gupta, M., & Upadhyaya, S. J. (2007). Managing information assurance in financial services. Hershey, PA: IGI Global. Read More